Synology closes serious vulnerabilities in Download Station and Video Station software




The Dutch security company Securify has found severe vulnerabilities in software from Synology. Through these vulnerabilities, attackers could gain root access to NAS systems. Synology has now fixed them.

The vulnerability in Synology Video Station could be exploited remotely when users had enabled the public share setting to share videos. The person with whom a video was shared could then exploit it to gain full access to the NAS system, says Han Sahin of Securify. The vulnerability was in the ‘subtitle_codepage’ parameter of the subtitle.cgi script and made code injection possible. Securify also found several SQL injection vulnerabilities that could be used to get into Video Station’s PostgreSQL database and obtain further access.
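As an added defender-side illustration (not Securify’s finding and not Synology’s code), the following shows how a parameter such as ‘subtitle_codepage’ can be constrained before use: the value must match a strict allowlist pattern and be a text encoding the runtime actually knows, and the subtitle is decoded in-process instead of being handed to a shell command. The handler shape, the sample subtitle and the parameter values are assumptions.

```python
import re

# Allowlist: plain codepage identifiers such as "cp1252", "iso-8859-2" or
# "utf-8". Shell metacharacters, whitespace and quotes never match, so a
# hostile value is refused before it could reach any command line.
CODEPAGE_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def is_valid_codepage(codepage: str) -> bool:
    """True only for a syntactically clean name that is a real text encoding.

    The probe decode rejects names Python knows only as byte transforms
    (e.g. "base64"), which raise LookupError on a text decode."""
    if not CODEPAGE_RE.fullmatch(codepage):
        return False
    try:
        b"probe".decode(codepage)
    except LookupError:
        return False
    return True


def decode_subtitle(raw: bytes, codepage: str) -> str:
    """Decode subtitle bytes with a validated codepage, entirely in-process.

    Not spawning an external converter removes the command-injection
    surface; the allowlist above is defence in depth on top of that."""
    if not is_valid_codepage(codepage):
        raise ValueError("unsupported subtitle codepage")
    return raw.decode(codepage, errors="replace")


# Constructed sample: a Latin-2 (ISO-8859-2) subtitle fragment, as a
# hypothetical handler might receive it alongside the codepage parameter.
SAMPLE_TEXT = "1\n00:00:01,000 --> 00:00:02,000\nZażółć gęślą jaźń\n"
SAMPLE_SRT = SAMPLE_TEXT.encode("iso-8859-2")

if __name__ == "__main__":
    print(decode_subtitle(SAMPLE_SRT, "iso-8859-2"))
    # Constructed hostile parameter values; all are rejected by the allowlist.
    for bad in ("cp1252; ls", "$(whoami)", "cp1252 | cat", "base64"):
        print(repr(bad), "accepted:", is_valid_codepage(bad))
```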

Securify also discovered several XSS vulnerabilities in Synology’s Download Station software. These were in the ‘Create download task via file upload’ and ‘Create download task from URL’ options of Download Station. An attacker could create a specially crafted torrent file containing an XSS payload, and if the Download Station user imported it, the payload was executed in the browser window. This way, attackers could steal session tokens, hijack login credentials and redirect the user to sites hosting malware.

According to Sahin, not all NAS users are aware that their storage system forms a link into their home network and therefore carries security risks. He recommends that users of the Synology programs update their software to the latest versions, in which the vulnerabilities are fixed. Download Station and Video Station have both been installed about 7 million times.
